- Jamf Nation Community
- Products
- Jamf Pro
- Removing Local Admin Privilege using a Script
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Removing Local Admin Privilege using a Script
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-14-2023 12:26 PM
Hello,
I been trying to remove local admin privilege for all users, but with an exception of two Local accounts. I was able to find a script from a previous post. For the most part it works, but one of the local admin account name has spaces in it. So when I run the script it takes in each word as a separate user. For example: if the admin account name is "The Admin" it would run as "The" as one account name and "Admin" as another account name. Not sure why the space is a delimiter. Any help would be appreciated!
#!/bin/sh
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c -18)
for user in $adminUsers
do
if [ "$user" != "root" ] && ( [ "$user" != "The Admin" ] || [ "$user" != "secondAdmin" ] )
then
dseditgroup -o edit -d $user -t user admin
if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
else
echo "Admin user $user left alone"
fi
done
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-14-2023 12:58 PM
Spaces are delimeters in a BASH array. You are creating the array adminUsers and then looping through it. if you were to echo $adminUsers you see something like:
root user1 The Admin secondAdmin
To BASH that is 5 different array elements.
The big question is how do have a username with a space in it? That should not be possible. Are you sure "The Admin" is a username and not a Real Name?
Also, your cut command in the 2nd line is incorrect. It should cut -c 18- . Otherwise you are getting the first 18 characters.
Reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-14-2023 03:24 PM
Hello, Thanks for the response!
After doing some digging, a previous person that used to work on Jamf, created this setting in PreStage enrollment where it created a local admin account with spaces in it. And I guess by creating it this way, the username was able to have space in it?
My worry was that other devices may have different usernames with spaces in it. So if I need to remove admin privilege from it, it wouldn't work. But from what it sounds like, there should be no other accounts with spaces in them, unless it was done by how I mention above.
I thought the - after the 18 means it cut the characters after the 18th character? When I tried the script with the dash after the 18, and I did an echo of the results, it returned with nothing
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-15-2023 06:40 AM - edited 02-15-2023 06:43 AM
Could you use the user ID instead? Not that I know if dseditgroup takes GIDs for operations.
Reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-15-2023 10:33 AM
Ignoring the space existing in a username issue the scripting part could be done this way
# by replacing [ with [[ you're able to wildcard the comparison.
# instead of seeing if the username = "The Admin" see if it = *"Admin"*
if [[ "$user" != "root" ]] && [[ "$user" != *"Admin"* ]] && [[ "$user" != "secondAdmin" ]] ; then
Reply
